Following the recent trend among ransomware affiliates, BlackMatter has emerged as the latest ransomware-as-a-service (RaaS). According to threat intelligence company Recorded Future, BlackMatter announced in an interview that it has “incorporated in itself the best features of DarkSide, REvil, and LockBit”. BlackMatter cited the following inspirations from each of those partner programs:
- From REvil: BlackMatter considered REvil’s Safe Mode implementation weak and not well thought through, and built upon the idea before implementing it thoroughly. It also implemented the PowerShell version of the ransomware variant.
- From LockBit: BlackMatter drew on LockBit’s approach to structuring the codebase, as well as other minor details.
- From DarkSide: BlackMatter borrowed the idea of impersonation (namely, the encryptor’s ability to use a domain administrator account to encrypt shared drives with maximum rights) and the structure of the admin panel.
According to the group’s own blog, BlackMatter targets organizations with revenue of $100 million or more and between 500 and 15,000 hosts on the network. The threat actor has also stated that it will not target industries such as healthcare and state institutions. BlackMatter actively advertises to buy network access into organizations, offering $3,000-$100,000 plus a percentage of the eventual ransom. This modus operandi is gaining traction and aligns with that of other groups such as LockBit 2.0.
BlackMatter breaches organizations via purchased network access. Once initial access is secured, the threat actor moves laterally to high-value targets and exfiltrates sensitive data, then deploys the ransomware in a centralized fashion, for instance from the Domain Controller onto every endpoint. Upon execution, BlackMatter encrypts files on the victim’s machine within seconds, disables file recovery and system restore, and drops a ransom note on the machine.
Beyond leaving a ransom note, BlackMatter also replaces the desktop background image with a message directing the victim to the README.txt file for instructions.
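To make the pre-encryption behaviour described above concrete, here is an added example (not code from this page or from ReaQta) of simple detection logic that correlates process-creation events for commands commonly used to delete shadow copies and disable recovery before encryption starts. The sample events, the specific commands matched (vssadmin, wmic shadowcopy, bcdedit recoveryenabled, wbadmin delete catalog) and the correlation thresholds are assumptions about generic ransomware tradecraft, not behaviour the page attributes to BlackMatter.

```python
"""Detect ransomware-style recovery inhibition in process-creation events."""
import re
from collections import defaultdict
from datetime import datetime

# Commands commonly used by ransomware to disable file recovery and system
# restore before encryption. Assumption: generic tradecraft, not a list of
# commands the page attributes to BlackMatter.
RULES = {
    "shadow_copy_delete_vssadmin": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "shadow_copy_resize_vssadmin": re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I),
    "shadow_copy_delete_wmic": re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "boot_recovery_disabled": re.compile(r"bcdedit(\.exe)?\s+/set\b.*\brecoveryenabled\s+no", re.I),
    "backup_catalog_delete": re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
}

# Constructed sample of process-creation events (Sysmon Event ID 1 style
# fields), hand-written for this example; not telemetry from the page.
SAMPLE_EVENTS = [
    {"ts": "2021-08-02T10:14:03Z", "host": "WS-017", "parent": "explorer.exe",
     "cmdline": "notepad.exe README.txt"},
    {"ts": "2021-08-02T10:14:09Z", "host": "WS-017", "parent": "setup.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2021-08-02T10:14:10Z", "host": "WS-017", "parent": "setup.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"ts": "2021-08-02T10:14:11Z", "host": "WS-017", "parent": "setup.exe",
     "cmdline": "wbadmin delete catalog -quiet"},
    {"ts": "2021-08-02T10:14:12Z", "host": "WS-017", "parent": "setup.exe",
     "cmdline": "wmic shadowcopy delete"},
    # Benign: a backup operator listing shadow copies on a server.
    {"ts": "2021-08-02T11:00:00Z", "host": "SRV-BKP", "parent": "backup-agent.exe",
     "cmdline": "vssadmin list shadows"},
]


def match_rules(event):
    """Return the names of all rules whose pattern matches the command line."""
    return [name for name, pat in RULES.items() if pat.search(event["cmdline"])]


def _ts(event):
    # ISO-8601 with a trailing Z; fromisoformat() before Python 3.11 rejects "Z".
    return datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))


def detect(events, window_seconds=60, min_techniques=2):
    """Correlate matched events per (host, parent process).

    An alert is raised when at least `min_techniques` distinct recovery-
    inhibition techniques are launched by the same parent on the same host
    within `window_seconds`. A lone hit (e.g. an administrator running
    vssadmin by hand) is left to match_rules() for lower-severity triage.
    """
    groups = defaultdict(list)
    for ev in events:
        for name in match_rules(ev):
            groups[(ev["host"], ev["parent"])].append((_ts(ev), name))

    alerts = []
    for (host, parent), hits in groups.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            window = [h for h in hits[i:] if (h[0] - start).total_seconds() <= window_seconds]
            techniques = sorted({name for _, name in window})
            if len(techniques) >= min_techniques:
                alerts.append({
                    "host": host,
                    "parent": parent,
                    "start": window[0][0].isoformat(),
                    "end": window[-1][0].isoformat(),
                    "techniques": techniques,
                })
                break  # first qualifying window is enough; one alert per host/parent
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"ALERT {a['host']} parent={a['parent']} {a['start']}..{a['end']}: "
              + ", ".join(a["techniques"]))
```

Correlating on the parent process rather than alerting on every single vssadmin invocation keeps the rule usable in environments where backup software legitimately touches shadow copies; the threshold and window are starting points to tune against your own telemetry.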
Running the attack
Within seconds of an infection, ReaQta-Hive reconstructs the breach, providing the relevant information on the behaviours and techniques exhibited.
Leveraging ReaQta’s ransomware protection capabilities, the ransomware is stopped autonomously as soon as ransomware behaviour is detected, preventing data encryption on the endpoint.
In the case of BlackMatter, ReaQta responded within seconds, mitigating potential business disruption and downtime. In addition to stopping the threat, ReaQta’s AI automatically terminated all malicious processes involved in the incident and closed the alert, reducing the additional actions required of the security team.
As ransomware attacks become increasingly rampant, organizations should not treat them as an afterthought but should have mitigation plans devised and ready.
Ways to defend against a ransomware attack
According to Gartner analyst Paul Webber, “organizations need to focus on preparation and early mitigation if they want to cut losses to ransomware.” The mitigation strategy outlined by Gartner covers the following six points:
- Perform initial ransomware assessments. Conduct risk assessments and penetration tests to determine your organization’s attack surface and its current state of readiness in terms of tools, processes and skills to mitigate attacks.
- Ensure ransomware governance. Processes and execution contingency plans need to be in place to ensure a swift response in the event of an actual crisis. Key stakeholders must be involved in this preparation.
- Maintain operational readiness at all times. Routinely stress test the security systems in place to ensure ransomware activity can be detected and prevented. Incorporate incident response scenarios into the ransomware response plans, so that the processes do not depend on security systems that may be unavailable during a crisis.
- Maintain backups for internal systems. Back up both data and all applications within the infrastructure. Ensure backups are taken frequently, and keep at least one copy offline or immutable so that it cannot be encrypted or deleted by an attacker who has already obtained domain-wide privileges.
- Employ a Zero Trust security model. Restrict permissions and deny unauthorized access to devices. Remove local administrator rights from end users and block application installation for standard users, replacing it with a centrally managed software distribution facility.
- Instill employee ransomware education. All employees should understand the ransomware threat and be educated on the steps to take during a ransomware attack.